|
|
Posted by axlq on 07/30/06 02:15
Someone please tell me if I've discovered a PHP bug.
I'm sitting in front of several computers on my home network, behind
a NAT firewall/router. I am testing my web site on these different
computers (running different browsers, logged in as different users,
etc.). My web site keeps track of users logged in through the use
of $_SESSION.
Here's the bizarre thing: All computers are logged off, then I log
into my web site with one computer -- and when I browse my site from
another computer it behaves as if logged in! And if I log off with
one computer, all other computers subsequently behave as if logged
off! This happens also with different browsers (say IE and Opera)
running on the same machine.
This is especially serious because I have four classes of users:
non-logged-in visitor, logged-in user, paying customer, and
superuser. Logging in as superuser, for example, gives superuser
privileges to ALL computers on my home network!
AAAARRRGH!! I can't figure this out. It seems that $_SESSION is
using *only* my IP address and no unique identifying information
from the browsers on my network. Is this a php bug?
Background:
Here is basically what I'm doing. All scripts first contain a
require_once() directive that includes a file which executes the
following statements right up front:
session_save_path("/home/mydomain/public_html/lists");
session_name('login_settings');
session_start();
(Naturally, the save path exists, and it contains session data
files.) Then, each script calls a function isLoggedOn() to
determine the type of user logged in, if any:
function isLoggedOn()
{
if (isset($_SESSION['superuser']))
return 'superuser';
if (isset($_SESSION['customer']))
return 'customer';
if (isset($_SESSION['user']))
return 'user';
return NULL; // unregistered or not logged in
}
Upon receiving the return value from isLoggedOn(), the script
behaves exactly the way it should depending on what type of user is
logged in. The value of $_SESSION['user'], $_SESSION['customer'],
and $_SESSION['superuser'] is the user's ID in the MySQL table for
that user type; the value is set by a login.php script.
I have three login.php scripts: for normal users, customers, and
superuser. Each login.php script queries the appropriate database
for user ID and password, and then sets some $_SESSION values.
Here, for example, is what happens with $_SESSION when a normal user
logs in. Note that it ensures that the customer and superuser types
are unset upon this login:
if ($sql->rows) {
$userid = $sql->GetValue('id');
if ($userid) {
$_SESSION['user'] = $userid;
if (isset($_SESSION['admin']))
unset($_SESSION['customer']);
if (isset($_SESSION['superuser']))
unset($_SESSION['superuser']);
header("Location: http://www.example.com/userindex.php");
} else header("Location: http://www.example.com/login.php?error=1")
} else header("Location: http://www.example.com/login.php?error=1")
Logging off shouldn't leave anything behind from prior users,
deleting all $_SESSION data, killing the session cookie, and finally
calling session_destroy(). So here's my logout.php script for all
user types. It does seem to work correclty:
$CookieInfo = session_get_cookie_params();
$_SESSION = array(); // unset all session values
if ((empty($CookieInfo['domain'])) && (empty($CookieInfo['secure'])))
setcookie(session_name(), '', time()-3600, $CookieInfo['path']);
elseif (empty($CookieInfo['secure']))
setcookie(session_name(), '', time()-3600, $CookieInfo['path'],
$CookieInfo['domain']);
else
setcookie(session_name(), '', time()-3600, $CookieInfo['path'],
$CookieInfo['domain'], $CookieInfo['secure']);
unset($_COOKIE[session_name()]);
session_destroy();
I'm at my wit's end, almost ready to manage my own cookies and dump
this PHP session handling stuff. I'd rather not though; I like
having the one session cookie with sensitive data stored on the
server. *Other* sites don't behave this way if I log into them
simultaneously from different computers on my home network. What's
wrong with MY site??
-Alex
Navigation:
[Reply to this message]
|